A hub for sharing relational database knowledge and experimentation
Db2 is a bit unusual among RDBMSes in that it does not perform authentication. No matter what, you need some external authority to perform authentication. Usually that is either the OS or LDAP, though there are other options. If using LDAP, either transparent LDAP or security plugins can be used.… Read the rest
Continue reading »
To list the database authorities held by an ID or group – authorities, not privileges. This information is not available in sysibmadm.privileges. The format of syscat.dbauth has columns with ‘Y’ or ‘N’ in them, and reading that quickly to answer the question “What permissions does this ID have?”… Read the rest
Continue reading »
Edit: 01/23/2018 – corrected one word not in an SQL statement.
I have written several other articles on security and permissions, but I thought I would write one from a purely practical perspective. If you don’t understand the basics of how DB2 handles users, authentication, authorization, and privileges, please read Db2 Basics: Users, Authentication, and Authorization.… Read the rest
Continue reading »
Some applications are really good at continually trying to re-establish connections to a database. This can be useful when I want to quickly bounce the database and have the app reconnect without also having to bounce the app. It is problematic when I need DB2 to be down and stay down, but still allow me to work with it.… Read the rest
Continue reading »
Updated 13 September 2016 to use more correct wording around how and when the access plan is generated and reused.
As a new DB2 for LUW DBA or developer it can take a while to understand the difference between static and dynamic SQL.… Read the rest
Continue reading »
I get it. The database server is a single point in many environments that have many points at most levels. Therefore any problem that affects more than one point must be the database.
As DBAs, sometimes we feel the database is under attack.… Read the rest
Continue reading »
Like any software, DB2 requires frequent patching. A database should be one of the most secure parts of any enterprise, and keeping it secure means keeping up with the fixes that are delivered in fix packs.
DB2 delivers many things through fixpacks, including:
IBM delivered Native Encryption in Fix Pack 5 of DB2 10.5.… Read the rest
Continue reading »
This post is not meant to be a comprehensive coverage of security, but an overview such that those newer to DB2 know what areas they may want to research further.
I’ve already covered this in some detail in DB2 Basics: Users, Authentication, and Authorization.… Read the rest
Continue reading »
I’ve recently implemented native encryption for a small database on a server that is somewhat oversized on CPU and memory. One of the things I noticed after encrypting my database was both increased backup duration and increased backup size.
On this particular system, I take compressed DB2 backups to disk, which is later externalized.… Read the rest
Continue reading »
With fixpack 5 of DB2 10.5, IBM introduced Native Encryption for data at rest in DB2. This is a fairly significant new feature for introduction in a fixpack. It does require separate licensing – either the Advanced Edition of ESE or WSE or the separate purchase of the Native Encryption feature.… Read the rest
Continue reading »To go with my recent article on RCAC/FGAC, I thought I would do some similar work using LBAC and see what I could learn about it and the differences between the two.
Label Based Access Control essentially adds a column to a table that labels each row (think confidential, secret, top secret), and then grants uses of those labels to users to allow them to access the data.… Read the rest
Continue reading »DB2 10.1 introduced a new feature commonly called RCAC (Row and Column Access Control) or FGAC(Fine-Grained Access Control). This is a bit less labor intensive to support than LBAC (Label Based Access Control), and solves some of the problems with LBAC.… Read the rest
Continue reading »